July 5, 2023
November 2, 2023

Navigating the Evolving Landscape: EPA's Approach to Cybersecurity for Public Water Systems

The U.S. Environmental Protection Agency (EPA) has recently expanded the scope of its routine sanitary surveys of public water systems (PWSs) to include cybersecurity considerations. This scrutiny was introduced in an EPA memorandum and a cybersecurity brief created for state officials. The EPA initially mandated that routine sanitary surveys include evaluations of a PWS's cybersecurity to spot deficiencies posing risks to public safety or water supply. The EPA has since withdrawn this memorandum due to a court order, but remains committed to helping states protect their water systems, despite legal challenges to its formal mandate.

While these two documents released by the EPA have alerted PWSs to specific deficiencies, the responsibility of addressing and rectifying these deficiencies is still in the hands of the PWSs themselves. Addressing these challenges within the intricate frameworks of PWSs can be daunting. However, BlastWave’s targeted solution supports the EPA's guidance and offers a direct route to robust cybersecurity measures.

Before we delve deeper into the specifics of these supportive measures, it's worth understanding the EPA's initial cybersecurity checklist, which will highlight the potential concerns every PWS should consider.

Understanding EPA's Initial Cybersecurity Checklist for Public Water Systems

The EPA's brief outlines a ten-question checklist for PWS cybersecurity. These questions span various aspects, from inventory management to executive involvement, offering a comprehensive evaluation of a PWS cybersecurity posture.

  1. Inventory Management: Have you cataloged all control system devices and isolated them from external networks?
  2. Network Segregation: Have you classified IT assets and applied firewalls to segregate networks?
  3. Secure Remote Access: Do you facilitate remote access only through secure methods?
  4. Access Roles: Have you implemented role-based controls to manage network access based on job functions?
  5. Password Protocols: Do you require the use of strong and diverse passwords for different accounts?
  6. Vulnerability Awareness: Do you actively monitor and apply necessary system patches and updates?
  7. Mobile Device Security: Have you instituted stringent policies for mobile device usage on networks, including password protection?
  8. Employee Training: Do you provide regular cybersecurity training for all employees?
  9. Executive Involvement: Are executives adequately informed and engaged in cybersecurity matters?
  10. Network Monitoring: Can you quickly detect network intrusions and execute a response plan?

The EPA encourages states to voluntarily review these aspects to proactively identify potential vulnerabilities in public water system cybersecurity.

Understanding Significant Deficiencies in Cybersecurity

According to the EPA, any design, operational, or maintenance flaws in a system—including breakdowns or malfunctions—that posed a contamination risk to the water supply were classified as a “significant deficiency.”

In the realm of cybersecurity, significant deficiencies might refer to a lack of security measures or existing vulnerabilities that present a high likelihood of being exploited. This could manifest in various ways, from the absence of secure remote access controls to unpatched systems vulnerable to cyberattacks. 

Although the recent withdrawal of EPA’s guidance has altered the formal role of states in identifying these deficiencies through sanitary surveys, the responsibility of PWSs remains unchanged. PWSs bear the duty of ensuring the safety of drinking water by identifying and addressing potential vulnerabilities in their systems.

Addressing these issues is an intricate task. The complexity of modern public water systems is evident with the intersection of OT and IT networks, creating a multi-layered ecosystem. This is further complicated by a mix of legacy and modern technologies, and the challenges of remote work dynamics in the current era, creating a web of potential cybersecurity risks.

To mitigate these challenges, BlastWave BlastShield™ offers a laser-focused approach to meet the unique cybersecurity needs of public water systems.

Tackling EPA Cybersecurity Guidelines with BlastShield™

BlastShield™ streamlines the process of securing the systems of a PWS by integrating multiple security controls into a unified solution.

Here’s how BlastShield helps:

  • Network Segregation: BlastShield can segregate assets using micro-segmentation groups and zero-trust policy to provide isolation and local segmentation. BlastShield implements controls at the network layer, meaning protected assets can be rendered invisible to, and isolated from, unauthorized users—no additional staff or downtime required.
    • Isolate control system devices: The BlastShield Orchestrator offers a unified dashboard for managing Users, Agents, Groups, Policies, Services, and Proxies, ensuring each employee and vendor only has access to what they need and are authorized for.
    • Prevent Lateral Movement: BlastShield actively prevents unauthorized internal movement on IT and OT networks, substantially reducing potential infiltration pathways to aid in monitoring networks for suspicious activity.
    • Segregate business enterprise and process control systems and require separate credentials for access: Recognizing the need to separate business systems from process control mechanisms, BlastShield ensures a distinct boundary between IT and OT/ICS systems.
  • Secure Remote Access: BlastShield outperforms traditional VPNs in performance and efficiency. It provides zero-trust remote access for each employee and vendor, ensuring secure and seamless entry to on-premise and cloud applications over the BlastShield network.
    • Eliminate Password Vulnerabilities: BlastShield revolutionizes access security by introducing phishing-resistant, passwordless multi-factor authentication (MFA). This approach bypasses the pitfalls of traditional password management and ensures a more secure and user-friendly access experience.
  • Network Cloaking and System Security: BlastShield expertly hides high-risk, unpatched, or inherently weak IT/OT systems, as well as outdated, unpatchable equipment within the protected network, rendering them invisible to unauthorized users.
    • Enhanced Infrastructure Integrity: This strategic invisibility acts as a robust defense mechanism, shielding vulnerable systems from potential threats, ensuring uninterrupted business operations, and prolonging the lifespan of legacy equipment without the immediate need for patches or replacements.

Ready to Fortify Your Cybersecurity Posture?

With the heightened focus on the cybersecurity of PWSs, the importance of evolving cybersecurity measures has never been more pronounced. Tools like BlastShield stand out, offering solutions that cater not just to current needs but also to the rapidly changing landscape of threats.

It's not merely about adhering to safety suggestions—it's about envisioning a safer, more resilient public water system.

With BlastShield, integrating robust cybersecurity becomes part of a larger mission—a fortified, future-focused strategy that equally emphasizes business continuity. Now, more than ever, is the time to reassess and fortify your cybersecurity measures for long-term resilience.

Schedule A Demo: https://www.blastwave.com/schedule-a-demo
